Changeset 20762


Timestamp:
02/15/13 14:04:39 (7 years ago)
Author:
nikrou
Message:

Fix issue that altered picture page content
Fix possible SQL injection issues

Location:
extensions/user_tags
Files:
11 edited

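--- a/extensions/user_tags/CHANGELOG
+++ b/extensions/user_tags/CHANGELOG
@@ -1,2 +1,7 @@
+User Tags 0.7.3 - 2013-02-15
+================================
+* Fix issue that altering picture page content
+* Fix possible sql injections issues
+
 User Tags 0.7.2 - 2013-01-18
 ================================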
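--- a/extensions/user_tags/admin.php
+++ b/extensions/user_tags/admin.php
@@ -62,3 +62,2 @@
 
 $template->assign('U_HELP', get_root_url().'admin/popuphelp.php?page=readme');
-?>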
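--- a/extensions/user_tags/include/constants.inc.php
+++ b/extensions/user_tags/include/constants.inc.php
@@ -27,3 +27,2 @@
 define('T4U_JS', PHPWG_PLUGINS_PATH . basename(T4U_PLUGIN_ROOT). '/js');
 define('T4U_WS', 'user_tags.tags.');
-?>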
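--- a/extensions/user_tags/include/default_values.inc.php
+++ b/extensions/user_tags/include/default_values.inc.php
@@ -22,3 +22,2 @@
 $default_values = array();
 $default_values['t4u_permission_update'] = null;
-?>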
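--- a/extensions/user_tags/include/t4u_config.class.php
+++ b/extensions/user_tags/include/t4u_config.class.php
@@ -89,10 +89,10 @@
        and is_autorize_status(get_access_type_status($this->getPermission($permission)));
   }
-
+  
   public static function plugin_admin_menu($menu) {
     $menu[] = array('NAME' => T4U_PLUGIN_NAME,
                     'URL' => get_admin_plugin_menu_link(T4U_PLUGIN_ROOT .'/admin.php')
                     );
-
+    
     return $menu;
   }
@@ -122,3 +122,2 @@
   }
 }
-?>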
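--- a/extensions/user_tags/include/t4u_content.class.php
+++ b/extensions/user_tags/include/t4u_content.class.php
@@ -47,8 +47,8 @@
       $related_tags = array();
       if (!empty($template->smarty->_tpl_vars['related_tags'])) {
-        foreach ($template->smarty->_tpl_vars['related_tags'] as $id => $tag_infos) {
-          $related_tags['~~'.$tag_infos['id'].'~~'] = $tag_infos['name']; 
-        }
-        $template->assign('T4U_RELATED_TAGS', $related_tags);
+        foreach ($template->smarty->_tpl_vars['related_tags'] as $id => $tag_infos) {
+          $related_tags['~~'.$tag_infos['id'].'~~'] = $tag_infos['name']; 
+        }
+        $template->assign('T4U_RELATED_TAGS', $related_tags);
       }
 
@@ -56,4 +56,6 @@
       $template->assign_var_from_handle('PLUGIN_PICTURE_AFTER', 'add_tags');
     }
+
+    return $content;
   }
 
@@ -65,3 +67,2 @@
   }
 }
-?>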
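Review bot: The `return $content;` added at new line 59 is the fix the commit message describes, but nothing in the hunk records the contract that makes it necessary, so a later edit could drop it again; a one-line comment above it such as `// event callback: the page content must always be handed back, even when no tags were rendered` would preserve the intent. The function appears to be a Piwigo trigger handler that receives the picture page content, but its signature and any earlier exit paths lie outside the hunk, so whether every path now returns `$content` cannot be confirmed here. The lines re-shown at 49-52 look like a whitespace-only re-indent.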
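--- a/extensions/user_tags/include/t4u_ws.class.php
+++ b/extensions/user_tags/include/t4u_ws.class.php
@@ -43,5 +43,5 @@
     $query = 'SELECT id AS tag_id, name AS tag_name FROM '.TAGS_TABLE;
     if (!empty($params['q'])) {
-      $query .= sprintf(' WHERE name like \'%%%s%%\'', $params['q']);
+      $query .= sprintf(' WHERE name like \'%%%s%%\'', pwg_db_real_escape_string($params['q']));
     }
     
@@ -68,12 +68,8 @@
     $message = '';
 
-    $query = '
-SELECT
-    tag_id,
-    name AS tag_name
-  FROM '.IMAGE_TAG_TABLE.' AS it
-    JOIN '.TAGS_TABLE.' AS t ON t.id = it.tag_id
-  WHERE image_id = '.(int) $params['image_id'].'
-;';
+    $query = 'SELECT tag_id, name AS tag_name';
+    $query .= ' FROM '.IMAGE_TAG_TABLE.' AS it';
+    $query .= ' JOIN '.TAGS_TABLE.' AS t ON t.id = it.tag_id';
+    $query .= sprintf(' WHERE image_id = %s', pwg_db_real_escape_string($params['image_id']));
     
     $current_tags = $this->__makeTagsList($query);
@@ -107,5 +103,5 @@
       if (empty($tags_to_associate)) { // remove all tags for an image
         $query = 'DELETE FROM '.IMAGE_TAG_TABLE;
-        $query .= sprintf(' WHERE image_id = %d', $params['image_id']);
+        $query .= sprintf(' WHERE image_id = %d', pwg_db_real_escape_string($params['image_id']));
         pwg_query($query);
       } else {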
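Review bot: The rewritten `image_id` condition at new line 73 is weaker than the `(int)` cast it replaces: `pwg_db_real_escape_string()` only escapes quotes, backslashes and a few control characters, and because `%s` places the value unquoted into `WHERE image_id = %s`, any input that contains none of those characters reaches the SQL parser verbatim, so this line no longer guarantees an integer comparison. Restore the coercion, e.g. `$query .= sprintf(' WHERE image_id = %d', (int) $params['image_id']);`; the DELETE at new line 105 is already safe for that reason because `%d` integer-coerces its argument, which also makes the escape call there redundant. In the first hunk, `%` and `_` inside `$params['q']` remain LIKE wildcards after escaping, so a search term containing them matches more broadly than a literal search; if literal matching is intended, apply `addcslashes($params['q'], '%_')` before the database escape. The enclosing methods begin and end outside the hunks, so whether `image_id` is validated earlier cannot be seen here.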
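--- a/extensions/user_tags/init.php
+++ b/extensions/user_tags/init.php
@@ -46,3 +46,2 @@
 
 set_plugin_data($plugin['id'], $plugin_config);
-?>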
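--- a/extensions/user_tags/main.inc.php
+++ b/extensions/user_tags/main.inc.php
@@ -22,5 +22,5 @@
 /*
 Plugin Name: User Tags
-Version: 0.7.2
+Version: 0.7.3
 Description: Allow visitors to add tag to images
 Plugin URI: http://piwigo.org/ext/extension_view.php?eid=441
@@ -34,3 +34,2 @@
 
 include_once(dirname(__FILE__).'/init.php');
-?>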
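--- a/extensions/user_tags/maintain.inc.php
+++ b/extensions/user_tags/maintain.inc.php
@@ -40,3 +40,2 @@
   }
 }
-?>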
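--- a/extensions/user_tags/public.php
+++ b/extensions/user_tags/public.php
@@ -35,3 +35,2 @@
                   array($t4u_ws, 'addMethods')
                   );
-?>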